http://www.cy075.cn/2004/奥比特.rar
http://www.cy079.cn/4.htm 原地址链接
一、双变单(使程序把自己当成子进程运行)
bp OpenMutexA
Ctrl+G:00401000
00401000 60 pushad
00401001 9C pushfd
00401002 68 A0FD1200 push 12FDA0 ; ASCII "44C::DA47D45903"
00401007 33C0 xor eax,eax
00401009 50 push eax
0040100A 50 push eax
0040100B E8 E694A677 call KERNEL32.CreateMutexA
00401010 9D popfd
00401011 61 popad
00401012 - E9 8F9FA777 jmp KERNEL32.OpenMutexA
60 9C 68 A0 FD 12 00 33 C0 50 50 E8 71 8D A8 77 9D 61 E9 74 8E A8 77
二、避开Anti
he OutputDebugStringA
中断2次!
选中%s%之类的字符,点右键->二进制->使用00填充
删除此断点!
三、Magic Jump,避开IAT加密
PS:很奇怪的就是用he GetModuleHandleA+5,却找不到Magic Jump!
bp GetModuleHandleA/he GetModuleHandleA
77E80B1A KE> 55 push ebp //断下,取消这个断点
77E80B1B 8BEC mov ebp,esp
77E80B1D 837D 08 00 cmp dword ptr ss:[ebp+8],0
77E80B21 75 0E jnz short KERNEL32.77E80B31 //F2下断,Shift+F9,断下!注意堆栈!
77E80B23 64:A1 18000000 mov eax,dword ptr fs:[18]
77E80B29 8B40 30 mov eax,dword ptr ds:[eax+30]
77E80B2C 8B40 08 mov eax,dword ptr ds:[eax+8]
001292A4 /0012EBB0
001292A8 |01066AC2 返回到 01066AC2 来自 KERNEL32.GetModuleHandleA
001292AC |0107BD6C ASCII "kernel32.dll"
001292B0 |0107DDAC ASCII "VirtualAlloc"
001292A4 /0012EBB0
001292A8 |01066ADF 返回到 01066ADF 来自 KERNEL32.GetModuleHandleA
001292AC |0107BD6C ASCII "kernel32.dll"
001292B0 |0107DDA0 ASCII "VirtualFree"
00129008 /001292A8
0012900C |01055A99 返回到 01055A99 来自 KERNEL32.GetModuleHandleA
00129010 |0012915C ASCII "kernel32.dll" //取消断点,返回!
01055A99 8B0D 6C500801 mov ecx,dword ptr ds:[108506C] //返回到这里!
01055A9F 89040E mov dword ptr ds:[esi+ecx],eax
01055AA2 A1 6C500801 mov eax,dword ptr ds:[108506C]
01055AA7 391C06 cmp dword ptr ds:[esi+eax],ebx
01055AAA 75 16 jnz short 01055AC2
01055AAC 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-14C]
01055AB2 50 push eax
01055AB3 FF15 B8620701 call dword ptr ds:[10762B8] ; KERNEL32.LoadLibraryA
01055AB9 8B0D 6C500801 mov ecx,dword ptr ds:[108506C]
01055ABF 89040E mov dword ptr ds:[esi+ecx],eax
01055AC2 A1 6C500801 mov eax,dword ptr ds:[108506C]
01055AC7 391C06 cmp dword ptr ds:[esi+eax],ebx
01055ACA 0F84 2F010000 je 01055BFF //Magic Jump,改jmp!
01055AD0 33C9 xor ecx,ecx
01055AD2 8B07 mov eax,dword ptr ds:[edi]
01055AD4 3918 cmp dword ptr ds:[eax],ebx
01055AD6 74 06 je short 01055ADE
01055AD8 41 inc ecx
01055AD9 83C0 0C add eax,0C
往下拉,找如此类似的序列(一个jnz,一个jmp,两个salc/Magic Jump)
也可以这样做:Ctrl+F在当前位置查找命令: salc
01055C0E ^\0F85 49FEFFFF jnz 01055A5D
01055C14 EB 03 jmp short 01055C19 //F2下断,Shift+F9,断下!取消断点!
01055C16 D6 salc
01055C17 D6 salc
重要:断下后,记得要撤消Magic Jump处的修改!
为何要这样做?我发现程序在下面会依据原先的代码进行解码,
以前下 硬件断点 操作没有修改原代码,所以解码正确。
而直接修改Magic Jump后改变了原先的代码,导致解码不正确而异常出错!
现在我们在解码以前恢复原先的代码,因此就不会再出错了!
此时,打开内存镜像,在00401000段下断,Shift+F9直达OEP!
01070324 8B0C3A mov ecx,dword ptr ds:[edx+edi] //来到这里,F8
01070327 5B pop ebx
01070328 03D7 add edx,edi
0107032A A1 A4100801 mov eax,dword ptr ds:[10810A4]
0107032F 3148 70 xor dword ptr ds:[eax+70],ecx
01070332 A1 A4100801 mov eax,dword ptr ds:[10810A4]
01070337 3148 70 xor dword ptr ds:[eax+70],ecx
0107033A A1 A4100801 mov eax,dword ptr ds:[10810A4]
0107033F 8B16 mov edx,dword ptr ds:[esi]
01070341 8B88 8400000>mov ecx,dword ptr ds:[eax+84]
01070347 3348 60 xor ecx,dword ptr ds:[eax+60]
0107034A 3348 34 xor ecx,dword ptr ds:[eax+34]
0107034D 030D BC10080>add ecx,dword ptr ds:[10810BC] ; FlyWoool.00400000
01070353 85D2 test edx,edx
01070355 75 1E jnz short 01070375
01070357 8B90 8800000>mov edx,dword ptr ds:[eax+88]
0107035D FF76 18 push dword ptr ds:[esi+18]
01070360 3390 8400000>xor edx,dword ptr ds:[eax+84]
01070366 FF76 14 push dword ptr ds:[esi+14]
01070369 3350 40 xor edx,dword ptr ds:[eax+40]
0107036C FF76 10 push dword ptr ds:[esi+10]
0107036F 2BCA sub ecx,edx
01070371 FFD1 call ecx
01070373 /EB 23 jmp short 01070398
01070375 |83FA 01 cmp edx,1
01070378 |75 21 jnz short 0107039B
0107037A |FF76 04 push dword ptr ds:[esi+4]
0107037D |8B90 8800000>mov edx,dword ptr ds:[eax+88]
01070383 |3390 8400000>xor edx,dword ptr ds:[eax+84]
01070389 |FF76 08 push dword ptr ds:[esi+8]
0107038C |3350 40 xor edx,dword ptr ds:[eax+40]
0107038F |6A 00 push 0
01070391 |FF76 0C push dword ptr ds:[esi+C]
01070394 |2BCA sub ecx,edx
01070396 |FFD1 call ecx ; FlyWoool.004B79A6 //F7进去!直接到达OEP!
004B79A6 6A 60 push 60 //OEP!
004B79A8 68 00235D00 push FlyWoool.005D2300
004B79AD E8 26070000 call FlyWoool.004B80D8
004B79B2 BF 94000000 mov edi,94
004B79B7 8BC7 mov eax,edi
004B79B9 E8 E2D1FFFF call FlyWoool.004B4BA0
004B79BE 8965 E8 mov dword ptr ss:[ebp-18],esp
004B79C1 8BF4 mov esi,esp
004B79C3 893E mov dword ptr ds:[esi],edi
004B79C5 56 push esi
004B79C6 FF15 A4445B00 call dword ptr ds:[5B44A4] ; KERNEL32.GetVersionExA
004B79CC 8B4E 10 mov ecx,dword ptr ds:[esi+10]
004B79CF 890D A4367C00 mov dword ptr ds:[7C36A4],ecx
004B79D5 8B46 04 mov eax,dword ptr ds:[esi+4]
LordPE纠正大小Dump!打开Import 1.6,OEP填B79A6,有14个无效指针,全部CUT,正常运行!
[课程]FART 脱壳王!加量不加价!FART作者讲授!